Added ordinal of ShellExec_RunDLL

swachchhanda000 · Nov 16, 2024 · 8acb167 · 8acb167
1 parent 5d1cf4b
commit 8acb167
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml
@@ -19,7 +19,9 @@ logsource:
     product: windows
 detection:
     selection_openasrundll:
-        CommandLine|contains: 'ShellExec_RunDLL'
+        CommandLine|contains:
+            - 'ShellExec_RunDLL' # rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c calc.exe"
+            - '#572' # rundll32 SHELL32.DLL,ShellExec_RunDLL "cmd.exe" "/c calc.exe"
     selection_suspcli:
         CommandLine|contains:
             # Add more LOLBINs and Susp Paths